Stream Security Solutions: Infrastructure Security

So far, our series on security and the IoT has focussed on the threats that endanger individuals and organisations online. If you missed them, check out our articles on What You Need to Know About IoT Botnets and Security and the IoT: Public IP Addressing. In the next couple of articles, I'd like to explain the measures Stream have in place to protect our customers from these threats.

First up I'll explain how our infrastructure helps to guard against unwanted intruders. In the next post, I'll tell you about how we monitor device behaviour to detect security red flags and I'll explain the security features of our connectivity management platform, IoT-X.

Infrastructure Security

Network infrastructure is at the front line when it comes to protecting your organisation's online security. Serving as the point of entry to your application, if the network infrastructure is not secure your organisation could be exposed to online threats and cyberattacks. There are several factors which bolster the security of Stream's infrastructure and I'll be explaining the key points in turn.

The headlines are:

  • Stream's network is "sensible by design".
  • To keep customer data private, our network is segmented into subnets.
  • Instead of connecting to devices using a public IP (Internet Protocol), our customers must use one of the secure access methods that we support.

Sensible by Design

First and foremost, Stream's network is sensible by design. What do we mean by this? Simply that our network is configured to use secure settings by default. Using secure network settings by default makes sense, not only in terms of security, but it also minimises the workload for our customers - the more secure our infrastructure is by default, the fewer settings customers need to change.

Here's a couple of examples of secure settings that we've implemented by default:

  • Inbound Public Internet Access Is Blocked by Default
    To minimise the risk of your devices being tampered with or your data being accessed by nefarious third-parties, we've blocked inbound traffic from the public internet from accessing them by default. This helps to keep your private network private
  • Peer-to-Peer Communications Are Blocked by Default
    Peer-to-peer communications between devices on the network are blocked by default. Instead, any devices that need to communicate with one another must do so by sending messages through Stream's secure infrastructure. This minimises the risk of one compromised device from infecting the entire network.

Network Segmentation

Since numerous customers use Stream's network to transmit data, we need to have measures in place to ensure that each customer's data remains private from the other users on the network. To solve this problem, Stream's infrastructure is divided into separate subnetworks, or segments, with each customer operating on a discrete subnetwork. To ensure that one customer does not have access to another customer's data, traffic is blocked from travelling between subnets.

Each company using our network can request further layers of segmentation within their subnetwork. This capability is often utilised by customers who function as connectivity resellers, as it enables them to onboard multiple companies and ensure that each of their customer's traffic is private.

Secure Access Methods

Stream's network infrastructure is private, secure and has a proven track record of resilience and reliability. Part of the reason for this is that our network is completely private from the public internet, which means that our customers' devices are protected from attacks from external parties.

One of the measures we've taken to protect the integrity of our infrastructure is to prohibit the use of public IP addresses on our network. This protects the devices on our network from unwanted access attempts and keeps them isolated from the public internet. Instead of connecting to their devices using a public IP, our customers must use a secure access method. Secure access methods that Stream support include DINA, OpenVPN, IPsec and fixed line connections.


Key Points:

  • Dial-on-demand service.
  • Allows customers to establish a one-to-one connection with a device.
  • Provides location flexibility.

Direct Inbound Access, or DINA, is a proprietary secure access technology designed by Stream. It provides a convenient way for customers to establish a secure, one-to-one connection with a device from any location on the internet, on-demand. This means that customers can establish a DINA connection even when they are remote from their corporate network. DINA combines the convenience of fixed public IP addressing with many of the security advantages of a VPN (Virtual Private Network).

DINA allows customers to temporarily map a public IP address to a device. This enables a direct inbound connection to be established with a device and allows customers to access their device via a web page. To ensure that the connection is secure, DINA devices are not directly exposed to the public internet and any access attempt must be authenticated using IoT-X, the DINA website or the IoT-X API. Unlike public IP addressing, DINA provides customers with authenticated access to their device estate and it removes the need to set up complex VPN technologies.


Key Points:

  • Dial-on-demand service.
  • Allows customers to establish a one-to-many connection with devices.
  • Provides location flexibility.

OpenVPN is an open-source software application that allows customers to establish a secure VPN connection with their devices. Like DINA, OpenVPN is a dial-on-demand service, however, it is different from DINA in that it allows customers to establish a one-to-many connection with their entire device estate. Instead of establishing a direct connection with a device, OpenVPN establishes a connection with Stream's firewall. Once a connection has been established, the customer can connect to any of the devices that sit behind Stream's firewall.

OpenVPN provides location flexibility since, a connection can be established from any location on the internet. This means that customers can connect to their devices even when they are remote from their corporate network.


Key Points:

  • Always on service using a software connection.
  • Allows customers to establish a one-to-many connection between their corporate network and Stream's network.
  • The connection must be established from the customer's corporate network.

IPsec is a suite of standardised network protocols that enable key security features, such as data encryption and authentication, to be implemented across an IP network. If customers are transmitting data over an unsecured IP network, such as the public internet, they are likely to be concerned about the risk of malicious third-parties snooping on their traffic. IPsec provides protection against this issue since it ensures that communications between devices operating over a public network are encrypted and secure.

IPsec establishes a secure tunnel between the parties involved in a data transmission. All data travelling through this tunnel is encrypted and secure against access from third-parties. Accessing your devices using an encrypted IPsec tunnel means that unwanted users or applications cannot access or modify data as it is being transmitted.

Stream's IPsec services deliver the following benefits:

  • Data Integrity
    Stream's IPsec services ensure that data is not tampered with or modified while it traverses the network.
  • Authentication
    IPsec ensures that data received from a device is from an authentic source. This means that received data has come from a credible source, rather than a malicious party masquerading as the source.
  • Confidentiality
    This means that data cannot be copied or examined while it traverses the network.

Fixed Line Connections

Key Points:

  • Always on service using a fixed wire.
  • Allows customers to establish a one-to-many connection between their corporate network and Stream's network.
  • The connection must be established from the customer's corporate network.

A fixed line connection, sometimes also called a direct connect, allows customers to establish a dedicated network connection between their network and Stream's infrastructure using a fixed line. This usually relies on Stream and the customer having network hardware in the same data centre, so that a wired connection can be established.

A fixed line connection provides extremely high levels of privacy and security as it completely bypasses the public internet. A fixed line connection can be thought of as a "network to network" form of connectivity. This means that, unlike DINA and OpenVPN, the customer cannot to access their devices from any location on the internet, instead they must be using a device that is inside their corporate network.

More to Follow...

In the next article, I'll be explaining more of Stream's security features, including how we monitor device behaviour to detect security red flags and I'll detail some of the security features of our connectivity management platform, IoT-X.

Until then, stay tuned and be sure to follow us on:

Twitter: @StreamTechLtd
Facebook: /StreamTechUK